Contributor

@zenyr zenyr commented Oct 7, 2025

Issues

Session creation allowed nonexistent directories or paths outside the project scope, causing invalid sessions. Retrieval failed when accessing sessions created in different project contexts.

Fixes

  • Added async directory existence and project boundary checks in Session.create using Bun's native APIs to prevent invalid session creation.
  • Improved Session.get with loop-based fallback to global project, enabling cross-project session access.

Question

Is allowing arbitrary directory specification (e.g., /root/ for a project in /user/foo) intentional? This enables cross-project work but may confuse users. Should we restrict to project-related directories?

Fixes API inconsistency reported in bug analysis.

zenyr added 3 commits October 8, 2025 01:40
Improve the session retrieval logic with a loop-based fallback, and raise an explicit error when the session is not found.
Contributor Author

zenyr commented Oct 7, 2025

If allowing session creation in external folders (outside the project scope), it might be better to support full project CRUD operations instead, as the API currently lacks project deletion and management features.


manno23 commented Oct 10, 2025

I think that kind of secret contract just grew out of it being a single-user, bundled application. I want to use this in Cloudflare with a client at home, but this needs to get sorted out first for that. I don't know if you ever looked at the spec, but every operation endpoint has a single optional directory param that the client gives and yeah, it's used to kind of push the server around when really the server should be locked down by configuration before it ever starts.

Contributor Author

zenyr commented Oct 11, 2025

> I think that kind of secret contract just grew out of it being a single-user, bundled application. I want to use this in Cloudflare with a client at home, but this needs to get sorted out first for that. I don't know if you ever looked at the spec, but every operation endpoint has a single optional directory param that the client gives and yeah, it's used to kind of push the server around when really the server should be locked down by configuration before it ever starts.

Yes, I actually discovered this bug while trying to set up a headless home lab like Google Jules, and that aspect was concerning from both security and design standpoints. However, I worried that hastily fixing the bug might disrupt existing workflows. That's why I included the question in the PR description.
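
The existence and project-boundary checks from the PR description, combined with the server-configured root raised in the discussion, as an added example that is not code from this PR or from opencode. It assumes Node's `fs`/`path` modules instead of Bun's native APIs, and `checkSessionDirectory`, `DirCheck` and the sample layout are hypothetical names constructed for illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (not opencode's Session.create): checks a client-supplied
// directory against a root that the server fixed in its own configuration.
type DirCheck = { ok: boolean; directory?: string; reason?: "missing" | "not-a-directory" | "outside-root" };

function checkSessionDirectory(root: string, requested: string): DirCheck {
  // Resolve relative input against the configured root, never the process cwd.
  const candidate = path.resolve(root, requested);
  let real: string;
  try {
    // realpath follows symlinks, so a link inside the root is judged by its target.
    real = fs.realpathSync(candidate);
  } catch {
    return { ok: false, reason: "missing" };
  }
  if (!fs.statSync(real).isDirectory()) return { ok: false, reason: "not-a-directory" };
  const rel = path.relative(fs.realpathSync(root), real);
  // Compare path segments, not string prefixes: "/user/foobar" starts with
  // "/user/foo" but is not inside it.
  const outside = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return outside ? { ok: false, reason: "outside-root" } : { ok: true, directory: real };
}

// Constructed sample layout in a temp directory, so the example runs offline.
function demo(): Record<string, string> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "session-dir-"));
  const root = path.join(base, "foo");
  const sibling = path.join(base, "foobar"); // shares the "foo" string prefix
  fs.mkdirSync(path.join(root, "src"), { recursive: true });
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(root, "file.txt"), "");
  fs.symlinkSync(sibling, path.join(root, "link"), "dir");
  const out: Record<string, string> = {};
  for (const dir of ["src", ".", "nope", "file.txt", "../foobar", sibling, "link"]) {
    const key = dir === sibling ? "<absolute sibling>" : dir;
    out[key] = checkSessionDirectory(root, dir).reason ?? "ok";
  }
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}

console.log(demo());
```

Whether a directory outside the root should be rejected or treated as a separate project is the open question in this thread; the sketch shows only the strict variant.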

@github-actions github-actions bot force-pushed the dev branch 3 times, most recently from f1dc981 to 3e15a39 Compare November 22, 2025 18:07
@github-actions github-actions bot force-pushed the dev branch 3 times, most recently from f8ee907 to 6a9856d Compare November 27, 2025 01:29
oussamadouhou added a commit to oussamadouhou/opencode that referenced this pull request Jan 19, 2026
Session.get() was failing when sessions were accessed from a different
project context (subagents, nested PTYs, SDK clients with different dir).

- Add resolveProjectID() helper that searches all project directories
- LRU cache (1000 entries) for resolved projectIDs
- Update get(), update(), remove() to use the helper

Fixes anomalyco#8538
Related to anomalyco#7773
Builds on approach from anomalyco#3018 by @zenyr
Contributor Author

zenyr commented Jan 20, 2026

Closing due to lack of activity, being outdated & superseded by #9474, thank you!!

@zenyr zenyr closed this Jan 20, 2026